vanitasvitae
/
openpgp-notes
mirror of https://codeberg.org/openpgp/notes.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

edit GnuPG example

This commit is contained in:
Tammi L. Coles 2024-02-10 13:24:32 +01:00
parent 1f8952971e
commit 98162b87d6
1 changed files with 8 additions and 8 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

16
book/source/adv/certificates.md
View File

@ -156,19 +156,19 @@ Additionally, to mitigate the risk of certificate flooding, Hagrid currently fil
#### GnuPG
GnuPG offers two explicit methods for certificate minimization, described [in the GnuPG manual](https://www.gnupg.org/documentation/manuals/gnupg-devel/OpenPGP-Key-Management.html) as:
GnuPG introduces two explicit commands for certificate minimization, `clean` and `minimize`, aimed at optimizing certificate size and content.
*clean*
: *Compact (by removing all signatures except the selfsig) any user ID that is no longer usable (e.g. revoked, or expired). Then, remove any signatures that are not usable by the trust calculations. Specifically, this removes any signature that does not validate, any signature that is superseded by a later signature, revoked signatures, and signatures issued by keys that are not present on the keyring.*
The `clean` command streamlines certificates by removing all but the most recent self-signature for user IDs that are no longer usable due to revocation or expiration, and also purges signatures not contributing to trust calculations.
*minimize*
: *Make the key as small as possible. This removes all signatures from each user ID except for the most recent self-signature.*
The `minimize` command further reduces the certificate size by retaining only the latest self-signature for each user ID.
`clean` removes third-party signatures by certificates that are not present in current keyring, as well as other stale data. `minimize` removes superseded signatures that are not needed at the point when the command is executed.
Detailed in the [GnuPG manual](https://www.gnupg.org/documentation/manuals/gnupg-devel/OpenPGP-Key-Management.html), these functionalities allow users to manage their certificates efficiently, directly supporting the goals of minimization.
Independently, GnuPG by default [strips some signatures on key import](https://dev.gnupg.org/T4607#127792)[^gpg-default-strip]. However, a number of Linux distributions change this default behavior, and continue to import signatures without minimization by default. e.g. [Debian](https://dev.gnupg.org/T4628#128513) and Arch Linux: stripping third-party certifications on import, by default, is problematic for users who want to leverage authentication based on the [Web of Trust mechanism](wot).
Moreover, GnuPG's approach to handling incoming certificates includes stripping some signatures by default[^gpg-default-strip] to prevent bloating, although this behavior varies across different Linux distributions. For instance, distributions like Debian and Arch Linux have altered this default setting, affecting how third-party certifications are managed upon import.
[^gpg-default-strip]: GnuPG's changes in the default handling of third-party certifications on imports were prompted by the 2019 [keyserver flooding](keyserver-flooding) event.
This variance underscores the importance of understanding your specific GnuPG configuration and its effects on certificate minimization, especially for users relying on the [Web of Trust mechanism](wot) for authentication.
[^gpg-default-strip]: GnuPG's changes in the default handling of third-party certifications on imports were prompted by the 2019 [keyserver flooding event](https://dev.gnupg.org/T4607#127792).
### Limitations that can result from stripping historical self-signatures